02-08-2013 06:47 AM - edited 03-11-2019 05:58 PM
Hi,
I have a small lab setup with the ASA connecting to an 887 router (for internet) and a 3550 switch for LAN. I am also trying to set up two routers in the internal network that need to be accessed from the internet for DMVPN. Both routers can access the internet; however, as soon as I apply the static NAT statements on the ASA, neither can access the internet or be accessed from the internet.
For testing purposes I have only permitted ICMP and the port numbers for the DMVPN traffic.
NAT statements:
object network dmvpn-hub1
host 192.168.50.5
nat (inside,outside) static x.x.x.x
access-list OUTSIDE-IN extended permit gre any object dmvpn-hub1
access-list OUTSIDE-IN extended permit esp any object dmvpn-hub1
access-list OUTSIDE-IN extended permit udp any object dmvpn-hub1 eq isakmp
access-list OUTSIDE-IN extended permit icmp any object dmvpn-hub1
access-list OUTSIDE-IN extended permit udp any object dmvpn-hub1 eq 4500
I am curious as to why it causes this issue. Any help would be much appreciated.
Thanks
02-08-2013 07:08 AM
If you do show access-list OUTSIDE-IN, do you see the rules incrementing the hit count?
If you do show arp from the 887 router, do you see an IP and MAC address resolved in the table for the IP in question?
02-08-2013 07:11 AM
The answer is no to both of those questions. The funny thing is, when I do a packet-tracer it shows it as passing.
02-08-2013 07:14 AM
Well, if the answer is no to those questions, then there is an issue between the 887 and the ASA. Is it an issue with attempting to use a static IP that is not assigned to your internet line? Doing a packet tracer from the inside to the outside will always work because it's simply doing a logical test of the firewall rules and NAT.
02-08-2013 07:16 AM
No, I have a public block of IPs. I did see other posts where others had similar issues to mine. Thought it might have been something I missed.
02-08-2013 07:19 AM
Well, what you're trying to do is very basic. Is this the first NAT-protected device you're attempting to allow connectivity to? It's a stupid question, but is the command access-group OUTSIDE-IN in interface outside applied? Also, if the public IP block assigned differs from the LAN block on the 887 router, you may need to add an IP route for the IP block to the outside interface of the ASA.
02-08-2013 07:24 AM
Yeah, indeed it is basic. The ACL is applied and the public block is the same subnet. Also, there is no ACL on the 887 router.
02-08-2013 07:39 AM
Hi,
Any chance you could share the rest of the ASA configurations (And perhaps even the router too). If need be partially remove public IP addresses and any other sensitive information.
- Jouni
02-09-2013 02:40 AM
Thanks for the replies on this. It turns out that proxy ARP was required. Command below:
no sysopt noproxyarp
Sent from Cisco Technical Support iPhone App
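The two checks suggested earlier in the thread (ACL hit counts on the ASA, ARP resolution on the 887) together distinguish the proxy-ARP symptom from an ACL problem: when the ASA does not answer ARP for the static NAT address, the upstream router never learns a MAC for it, so no packet reaches the firewall and every ACE stays at zero hits. The following script is an added example, not code from the thread or from Cisco. It parses constructed sample output modelled on the format of ASA `show access-list` and IOS `show arp`; the addresses, MACs and hash values are placeholders, and the verdict strings are this example's own labels.

```python
import re

# Constructed sample output, modelled on the ASA "show access-list" format.
# Hit counters and trailing hash values are made up for this example.
SHOW_ACCESS_LIST = """\
access-list OUTSIDE-IN; 5 elements; name hash: 0x12345678
access-list OUTSIDE-IN line 1 extended permit gre any object dmvpn-hub1 (hitcnt=0) 0x1a2b3c4d
access-list OUTSIDE-IN line 2 extended permit esp any object dmvpn-hub1 (hitcnt=0) 0x2b3c4d5e
access-list OUTSIDE-IN line 3 extended permit udp any object dmvpn-hub1 eq isakmp (hitcnt=0) 0x3c4d5e6f
access-list OUTSIDE-IN line 4 extended permit icmp any object dmvpn-hub1 (hitcnt=0) 0x4d5e6f70
access-list OUTSIDE-IN line 5 extended permit udp any object dmvpn-hub1 eq 4500 (hitcnt=0) 0x5e6f7081
"""

# Constructed sample output, modelled on IOS "show arp" on the upstream router.
# 203.0.113.0/24 is a documentation range standing in for the public block;
# the MAC addresses are placeholders.
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  203.0.113.1             -   0011.2233.4455  ARPA   Vlan1
Internet  203.0.113.2             3   0011.2233.4466  ARPA   Vlan1
"""

# One ACE line: name, line number, the rule text, and the hit counter.
ACE_RE = re.compile(r"^access-list (\S+) line (\d+) extended (.+?) \(hitcnt=(\d+)\)")
# One IOS ARP row: IPv4 address, age ("-" for the router's own address), MAC.
ARP_RE = re.compile(
    r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
)


def parse_hitcounts(acl_output):
    """Return {line_number: (rule_text, hitcnt)} for every ACE in the output."""
    aces = {}
    for line in acl_output.splitlines():
        m = ACE_RE.match(line)
        if m:
            aces[int(m.group(2))] = (m.group(3), int(m.group(4)))
    return aces


def zero_hit_aces(acl_output):
    """Line numbers of ACEs that have never matched a packet."""
    return sorted(n for n, (_, hits) in parse_hitcounts(acl_output).items() if hits == 0)


def arp_entry(arp_output, ip):
    """MAC the upstream router learned for ip, or None if it never resolved."""
    for line in arp_output.splitlines():
        m = ARP_RE.match(line)
        if m and m.group(1) == ip:
            return m.group(3)
    return None


def diagnose(acl_output, arp_output, nat_ip):
    """Combine both checks into one of four verdicts (labels are this example's own)."""
    mac = arp_entry(arp_output, nat_ip)
    unused = zero_hit_aces(acl_output)
    total = len(parse_hitcounts(acl_output))
    if mac is None and len(unused) == total:
        # Nothing reaches the ASA: the upstream router cannot resolve the NAT
        # address, which is what a disabled proxy ARP on the outside interface
        # looks like (the thread's fix: "no sysopt noproxyarp").
        verdict = "upstream-arp-failure"
    elif mac is None:
        verdict = "inconsistent"  # hits without an ARP entry: traffic took another path
    elif len(unused) == total:
        verdict = "acl-not-matching"  # frames arrive but no ACE matches or ACL is not applied
    else:
        verdict = "acl-ok"  # ACL is passing traffic; look further inside
    return {"arp_mac": mac, "zero_hit_lines": unused, "verdict": verdict}


if __name__ == "__main__":
    # 203.0.113.10 stands in for the x.x.x.x static NAT address from the thread.
    print(diagnose(SHOW_ACCESS_LIST, SHOW_ARP, "203.0.113.10"))
```

Run against the constructed samples, the NAT address has no ARP entry and every ACE sits at zero hits, which the script reports as `upstream-arp-failure`, the same pattern the original poster described before enabling proxy ARP.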